The official Wireshark blog

We’re switching to Qt.

Today I released the next development version of Wireshark, 1.11.0. This marks a major change in the direction of the project. We’re switching our user interface library from GTK+ to Qt. Both libraries make it easy for developers to write applications that will run on different platforms without having to rewrite a lot of code. GTK+ has had a huge impact on the way Wireshark looks and feels and on its popularity, but it doesn’t cover our supported platforms as effectively as it should and the situation is getting worse as time goes on.

Making such a large change wasn’t an easy decision. It means rewriting thousands of lines of code and requires a lot of careful design. We might be the largest standalone application to make this transition (feel free to correct me below). However, I think it’s well worth it and that it’s important to the long-term direction of the project. Ultimately it came down to one thing:

Wireshark’s job is to show you what’s happening on your network. If it can’t run on your system then it’s not doing that job.

If you’re using Windows, Mac OS X, or Linux Mint we need to support Windows, Mac OS X, and Linux Mint. If you’re using an iPad or a Galaxy Note we need to give you a long, hard, nonplussed stare and think about supporting iOS and Android at some point.

When I started writing Ethereal (Wireshark’s original name) it looked like this:

It looked like that on Linux and Solaris. It didn’t look like that anywhere else because those were the only two platforms we supported. I chose GTK+ for the user interface toolkit because it made the most sense. Compared to the options available at the time it had a number of advantages. It was small, light, easy to work with, had an active development team, and had a compatible license. A short time later we added support for Windows. GTK+ had some initial compatibility issues on Windows but it has gotten better over time.

Since then the platform landscape has changed but unfortunately GTK+ hasn’t. Most notably Mac OS X has gained popularity and people are starting to ask about Wireshark for their tablets. GTK+ supports OS X but it’s definitely a second-tier platform, making it hard to install and use. We either have to require X11 (like Inkscape) or use an experimental native GTK+ port (like GIMP). Either way it requires a lot of effort on the part of developers to produce a substandard application for users. With GTK+ Wireshark doesn’t look or act at all like a Mac OS X application:

Qt on the other hand provides a nice, clean user experience on all of the platforms that we currently support. If you install the 64-bit version it now looks like this:

What does this mean for users?

If you’re a power user you should probably keep using the GTK+ flavor for the time being. You should also test the Qt flavor from time to time to see how your workflow will change. Both are installed by default on Windows and Linux.

If you’re running OS X you should use the Qt flavor. For common tasks it should have a better workflow. Again, if it doesn’t we aren’t doing our job.

What does this mean for developers?

If you’re developing a new feature using GTK+ you should stop. You’re very likely wasting your time. If you would like to help with the migration grab the code and start developing.

What works?

Everything under the “File” and “Edit” menus.

You can capture, filter, and inspect traffic.

You can edit preferences.

You can follow streams.

You can view TCP stream graphs.

What doesn’t work?

Everything else. No capture options, I/O graphs, flow graphs, VoIP analysis, etc. We still have a lot of work to do.

Switching to Qt is a long and arduous process but I’m excited about what the future holds.

@yegle Did you install the 32- or 64-bit package? The Qt flavor ships with the 64-bit installer but not the 32-bit one. I’m hoping to move both to Qt at some point. If you want to build a 32-bit version from source you’ll have to recompile Qt as well.

I remember writing cross platform desktop applications… for a product we developed SimoHealth… it was first written in Gtk+ but we migrated to XULRunner. It made it incredibly easy to maintain our C++ backend code but have a JS/HTML/XUL frontend… Very similar to now writing web applications… JS/HTML is very good at cross platform user interface… I’m not sure how XULRunner has evolved since 2005 but it was pretty amazing to work with back then… I’d never consider writing native code for user interface again…

As a user, this is a little disappointing. I find Qt apps even worse than GTK+ apps, because Qt tries to look the same as native apps, even though the behavior is still wrong. At least GTK+ looks different, which accurately reflects that it acts different. Current GTK+ Wireshark looks like “a foreign app trying to look like Motif, poorly”, while the new Qt Wireshark looks like “a foreign app trying to look like OS X, poorly”.

The poster child for “free cross platform app using a cross platform GUI toolkit” is perhaps Firefox, which is the most frustrating Mac app in the world, because it looks 99% correct and acts 95% correct for a Mac app. I can sometimes use it for minutes at a time between remembering that the native keyboard shortcuts are only about 75% working (like in this text box).

I’m not a Wireshark developer, so I can’t really criticize. It’s great that you’re supporting this software at all. I guess if it requires less effort “to produce a substandard application for users” by making this switch, then more power to you. There’s not really any free competition, so it’s not like you’re going to lose any users over this. So while I don’t like it, I realize I don’t have a leg to stand on to criticize anyone here.

That makes a lot of sense! Qt, either under the ruling of TrollTech, or Nokia, or Digia is really an extremely lively project with outstanding support for a large variety of platforms. I remember that I made that big decision almost ten years ago for a large scientific software project with a large GUI module (massXpert) that I was authoring with Gtk+. I never looked back, *really*. The Qt libs for non-GUI stuff are extremely

“We might be the largest standalone application to make this transition”. Inasmuch as this statement is true, I think we also have OpenShot (one of the best video editors for Linux) that is transitioning currently in order to support more platforms.

As the developer of BleachBit (currently supporting Linux and Windows), I am also pondering switching from GTK+ to Qt. I am already considering a GUI rewrite to improve functionality and to get off of GTK+ 2, and my main problems on Windows are the native look and bloated installer.

Is Qt Designer still about micromanagement of positions (pixel precision) of UI elements? Or can it, like Glade (app for building GTK+ UIs), do the right thing by giving elements a sensible padding and spacing, so that it’s very easy to reproduce a UI again (from your brain)?

So it seems Miguel actually provided some good insight about GTK on Mac, so this all might not be necessary. Still, it would be interesting to hear actual advantages of Qt over GTK2/GTK3 as you keep coding. I doubt there is real demand for an iPad/Android version; I’ve been working with telco engineers and a workstation is still a must today.

@Robert The big advantage of Qt is that Windows, OS X, and Linux are all tier 1 platforms, complete with SDKs, documentation, active support, and a large, active community. Miguel is doing some amazing work but his experience with GTK+ on OS X is the exact opposite of mine.

The reason I mentioned iOS and Android is that people keep asking for it. The demand is most definitely there.

The biggest problem with Wireshark – or any other network analyzer – on iOS is that you cannot capture traffic on a non-jailbroken iOS machine; you need root access either to open BPF devices or to install a launchd LaunchDaemon to make the BPF devices available to users.

@Gerald Combs
Sorry that I have to repeat the questions regarding the Qt version of Wireshark for OS X, but I simply can’t find it. Where is it?
I’ve downloaded the 1.11.1 64-bit dmg, installed it and after starting the Wireshark app, it tells me that it cannot run it without X11 support. I currently have no XQuartz installed, because of the recent update to Mavericks.
Am I missing the correct download or is it a bug in the current package?

@Gerald Combs
Actually it looks like the 1.11.1 version doesn’t install Wireshark at all. Looks like I am starting the old version. After a complete removal of Wireshark and then a reinstall I can’t find the Wireshark app anywhere.

Are there any plans to re-work some of the expert mode & packet analysis functions to be less memory intensive, or to be able to use files rather than memory to store computational state? I’m thinking about functions like RTP stream analysis or using display filters to reduce then export the capture data. Somewhere I read that these deep analysis functions were intrinsically linked to the visualization code, and thus are susceptible to the same memory limitations that Wireshark has when rendering huge captures for display.

I realize ultimately this is a big data problem (and thus not high on Wireshark’s priority list) but I figured I’d ask. I’d love to be able to just run tshark on a huge file without having to chunk it up with editcap beforehand and reassemble it after, hoping I guessed well about what chunk size to use to avoid memory issues.

Regardless, thank you Gerald and the entire dev team for all the work that goes into producing and maintaining my favorite tool of all time.